Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group a.dent@rhul.ac.uk.

Post on 21-Dec-2015



This is joint work with…

Benoit Libert, UCL, Belgium

Kenny Paterson, Royal Holloway

Table of Contents

• Certificateless encryption (7 slides)

• A theoretical construction (4 slides)

• A practical construction (1 slide)

• Conclusions (2 slides)

Certificateless Encryption

Certificateless Encryption

• Public-key encryption
  – Receivers generate their own keys
  – Senders are required to download certificates

• Identity-based encryption
  – KGC generates decryption keys
  – Inherent key escrow problem
  – Senders not required to download certificates
  – Revocation could be a problem

Certificateless Encryption

• Certificateless encryption
  – Each user generates their own public key from a randomly generated “secret value”.
  – KGC provides a partial private key for a user’s identity.
  – Encryption requires the user’s public key and the user’s identity.
  – Decryption requires a private key based on the user’s secret value and partial private key.

Certificateless Encryption

• Certificateless encryption
  – Senders not required to download certificates
  – No inherent key escrow problem
  – Revocation potentially still a problem

• Two security models:
  – Security against an outsider attacker
  – Security against a KGC

Certificateless Encryption

[Diagram: the attacker's oracle queries and the responses]

• Encryption oracle: (ID*, m0, m1) → C*
• Extract partial private key: ID → d_ID
• Extract full private key: ID → sk_ID
• Request public key: ID → pk_ID
• Replace public key: (ID, pk_ID)
• Decrypt: C → m

Certificateless Encryption

• Assume queries that trivially win the game are not allowed:
  – E.g. finding the full private key for ID*.
  – E.g. finding the partial private key for ID* and replacing the challenge public key.
  – E.g. finding the decryption of C*.

• Similar model for the KGC. Attacker is given the KGC’s master private key.
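The three trivial-win examples above, written as a check over an outsider attacker's ordered query transcript (an added example, not taken from the slides or the paper). The tuple encoding, the constant names and the function trivial_wins are assumptions, as is reading "replacing the challenge public key" as a replacement made before the challenge query.

```python
# Added example. Oracle names follow the slide; the tuple encoding is assumed.
CHALLENGE, EXTRACT_PARTIAL, EXTRACT_FULL = "challenge", "extract_partial", "extract_full"
REQUEST_PK, REPLACE_PK, DECRYPT = "request_pk", "replace_pk", "decrypt"


def trivial_wins(transcript, challenge_ct="C*"):
    """Return the trivial-win rules broken by an attacker's queries.

    transcript is an ordered list of (oracle, identity, ciphertext_or_None);
    the single CHALLENGE entry names the target identity ID*.
    """
    challenges = [i for i, q in enumerate(transcript) if q[0] == CHALLENGE]
    if len(challenges) != 1:
        raise ValueError("the game has exactly one challenge query")
    at = challenges[0]
    target = transcript[at][1]

    # Only queries about ID* can make the game trivial.
    on_target = [(i, q) for i, q in enumerate(transcript) if q[1] == target]
    has_full = any(q[0] == EXTRACT_FULL for _, q in on_target)
    has_partial = any(q[0] == EXTRACT_PARTIAL for _, q in on_target)
    # Assumption: the replacement matters only if made before the challenge.
    replaced_before = any(q[0] == REPLACE_PK and i < at for i, q in on_target)
    asked_for_ct = any(q[0] == DECRYPT and i > at and q[2] == challenge_ct
                       for i, q in on_target)

    broken = []
    if has_full:
        broken.append("full private key for ID*")
    if has_partial and replaced_before:
        broken.append("partial private key for ID* and replaced challenge public key")
    if asked_for_ct:
        broken.append("decryption of C*")
    return broken


# Constructed transcripts; "alice" is the challenge identity ID*.
ADMISSIBLE = [
    (REQUEST_PK, "alice", None),
    (EXTRACT_FULL, "bob", None),      # corrupting another identity is allowed
    (REPLACE_PK, "alice", None),      # allowed: no partial key for alice is taken
    (CHALLENGE, "alice", None),
    (DECRYPT, "alice", "C'"),         # a ciphertext other than C* may be queried
]
INADMISSIBLE = [
    (EXTRACT_PARTIAL, "alice", None),
    (REPLACE_PK, "alice", None),
    (CHALLENGE, "alice", None),
    (DECRYPT, "alice", "C*"),
]
```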

Certificateless Encryption

• How do we define the decrypt oracle?
  – Original paper defined the decryption oracle as decrypting ciphertexts using the private key associated with the current public key.
  – Known as strong decryption oracle.
  – Doesn’t appear to reflect any realistic attack.
  – Several schemes secure in the random oracle model using strong decryption oracles.
  – We provide the first standard-model schemes.

Certificateless Encryption

• Why is this an interesting problem?
  – The original security model.
  – Intellectual challenge: several papers and informal conversations have suggested that the community thinks this can’t be achieved.
  – Model with non-polynomial-time challenger.
  – Proves security in weaker models.

Theoretical Construction

Theoretical Construction

• We use a Naor-Yung/Sahai construction.

• Use multiple passively secure encryption schemes and a NIZK proof system.

• One passively secure certificateless encryption scheme: CE.

• Two instances of a passively secure public-key encryption scheme: E.

Theoretical Construction

• ID and pk are the user’s identity and public key.

• mpk1 and mpk2 are part of the system parameters

• Decryption process uses the certificateless encryption scheme

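[Diagram: m is encrypted three times]

• C1: m encrypted with CE under (ID, pk)
• C2: m encrypted with E under mpk1
• C3: m encrypted with E under mpk2

+ NIZK proof that (C1, C2, C3) are all encryptions of the same message.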

Theoretical Construction

• Two independent instances of the public-key encryption scheme required for strong decryption oracles.

• This could be replaced with one instance of an IND-CCA2 secure public-key encryption scheme.

• One instance of the public-key encryption scheme is sufficient for weaker models.

Theoretical Construction

• Passively secure certificateless encryption schemes can be constructed from passively secure public-key encryption and identity-based encryption [LQ06].

• Passively secure public-key encryption schemes can be constructed from trapdoor one-way functions [GL89].

• NIZK can be constructed from trapdoor one-way permutations [FLS99,BY96,S99].

Practical Construction

Practical Construction

• Based on a 2-level Waters HIBE.

• Chosen ciphertext security achieved using Boyen-Mei-Waters techniques.

• Underlying assumptions:
  – 3-Party DDH assumption in a pairing group: “Given randomly chosen (g^x, g^y, g^z), distinguish g^(xyz) from a random element”.
  – Collision resistant hash functions.

Conclusions

Conclusions

• It is possible to build certificateless encryption schemes that are secure with strong decryption oracles in the standard model.
  – Is it really necessary to improve on the constructions?
  – Intellectual challenge: is it possible to prove security in a model where the KGC is allowed to pick the system parameters adversarially?

Conclusions

• Certificateless encryption schemes exist provided that trapdoor one-way permutations exist and passively secure identity-based encryption exists.
  – We are unaware of any proof that gives minimal conditions for identity-based encryption to exist.
  – Can we find minimal assumptions for the existence of certificateless encryption?

Questions?
